1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Gerd Hoffmann <kraxel@redhat.com>
3 Date: Fri, 1 Sep 2017 14:57:39 +0200
4 Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions
6 Instead pass around the address (aka offset into vga memory).
7 Add vga_read_* helper functions which apply vbe_size_mask to
8 the address, to make sure the address stays within the valid
9 range, similar to the cirrus blitter fixes (commits ffaf857778
12 Impact: DoS for privileged guest users. qemu crashes with
13 a segfault, when hitting the guard page after vga memory
14 allocation, while reading vga memory for display updates.
17 Cc: P J P <ppandit@redhat.com>
18 Reported-by: David Buchanan <d@vidbuchanan.co.uk>
19 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
20 Message-id: 20170828122906.18993-1-kraxel@redhat.com
22 hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++---------------------
23 hw/display/vga.c | 5 +-
24 hw/display/vga_int.h | 1 +
25 3 files changed, 114 insertions(+), 94 deletions(-)
27 diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h
28 index 94f6de2046..5a752b3f9e 100644
29 --- a/hw/display/vga-helpers.h
30 +++ b/hw/display/vga-helpers.h
31 @@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,
35 +static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
37 + return vga->vram_ptr[addr & vga->vbe_size_mask];
40 +static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
42 + uint32_t offset = addr & vga->vbe_size_mask & ~1;
43 + uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
44 + return lduw_le_p(ptr);
47 +static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
49 + uint32_t offset = addr & vga->vbe_size_mask & ~1;
50 + uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
51 + return lduw_be_p(ptr);
54 +static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
56 + uint32_t offset = addr & vga->vbe_size_mask & ~3;
57 + uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
58 + return ldl_le_p(ptr);
64 -static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
65 - const uint8_t *s, int width)
66 +static void vga_draw_line2(VGACommonState *vga, uint8_t *d,
67 + uint32_t addr, int width)
69 uint32_t plane_mask, *palette, data, v;
72 - palette = s1->last_palette;
73 - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
74 + palette = vga->last_palette;
75 + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
77 for(x = 0; x < width; x++) {
78 - data = ((uint32_t *)s)[0];
79 + data = vga_read_dword_le(vga, addr);
81 v = expand2[GET_PLANE(data, 0)];
82 v |= expand2[GET_PLANE(data, 2)] << 2;
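Review bot: The new vga_read_* helpers carry no comment stating the invariant they enforce, which is the whole point of the fix; a short header above `vga_read_byte` would prevent a later "optimisation" from dropping the mask, e.g. `/* Bounded VRAM reads: the offset is reduced with vbe_size_mask so a guest-controlled address can never index past the vram allocation (requires vbe_size to be a power of two). */`. The word and dword readers additionally align the offset down (`& ~1`, `& ~3`), so an odd or unaligned guest offset now reads the preceding aligned unit rather than the unaligned pair the removed `lduw_le_p((void *)s)` call read; that is a visible change in rendering for misaligned scanlines and deserves a one-line comment on each helper. The `(uint16_t *)`/`(uint32_t *)` casts look unnecessary if lduw_*_p/ldl_le_p accept `const void *`, as the removed call suggests; `return lduw_le_p(vga->vram_ptr + offset);` would do. The same rename-and-reroute pattern in the remaining vga-helpers.h hunks (line2d2 through line32_be) is correct as far as visible; the bodies of the draw functions continue outside each hunk.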
83 @@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
84 ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
85 ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
92 @@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
94 * 4 color mode, dup2 horizontal
96 -static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
97 - const uint8_t *s, int width)
98 +static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d,
99 + uint32_t addr, int width)
101 uint32_t plane_mask, *palette, data, v;
104 - palette = s1->last_palette;
105 - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
106 + palette = vga->last_palette;
107 + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
109 for(x = 0; x < width; x++) {
110 - data = ((uint32_t *)s)[0];
111 + data = vga_read_dword_le(vga, addr);
113 v = expand2[GET_PLANE(data, 0)];
114 v |= expand2[GET_PLANE(data, 2)] << 2;
115 @@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
116 PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
117 PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
127 -static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
128 - const uint8_t *s, int width)
129 +static void vga_draw_line4(VGACommonState *vga, uint8_t *d,
130 + uint32_t addr, int width)
132 uint32_t plane_mask, data, v, *palette;
135 - palette = s1->last_palette;
136 - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
137 + palette = vga->last_palette;
138 + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
140 for(x = 0; x < width; x++) {
141 - data = ((uint32_t *)s)[0];
142 + data = vga_read_dword_le(vga, addr);
144 v = expand4[GET_PLANE(data, 0)];
145 v |= expand4[GET_PLANE(data, 1)] << 1;
146 @@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
147 ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
148 ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
156 * 16 color mode, dup2 horizontal
158 -static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
159 - const uint8_t *s, int width)
160 +static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d,
161 + uint32_t addr, int width)
163 uint32_t plane_mask, data, v, *palette;
166 - palette = s1->last_palette;
167 - plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
168 + palette = vga->last_palette;
169 + plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
171 for(x = 0; x < width; x++) {
172 - data = ((uint32_t *)s)[0];
173 + data = vga_read_dword_le(vga, addr);
175 v = expand4[GET_PLANE(data, 0)];
176 v |= expand4[GET_PLANE(data, 1)] << 1;
177 @@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
178 PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
179 PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
186 @@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
188 * XXX: add plane_mask support (never used in standard VGA modes)
190 -static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
191 - const uint8_t *s, int width)
192 +static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d,
193 + uint32_t addr, int width)
198 - palette = s1->last_palette;
199 + palette = vga->last_palette;
201 for(x = 0; x < width; x++) {
202 - PUT_PIXEL2(d, 0, palette[s[0]]);
203 - PUT_PIXEL2(d, 1, palette[s[1]]);
204 - PUT_PIXEL2(d, 2, palette[s[2]]);
205 - PUT_PIXEL2(d, 3, palette[s[3]]);
206 + PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);
207 + PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);
208 + PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);
209 + PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);
216 @@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
218 * XXX: add plane_mask support (never used in standard VGA modes)
220 -static void vga_draw_line8(VGACommonState *s1, uint8_t *d,
221 - const uint8_t *s, int width)
222 +static void vga_draw_line8(VGACommonState *vga, uint8_t *d,
223 + uint32_t addr, int width)
228 - palette = s1->last_palette;
229 + palette = vga->last_palette;
231 for(x = 0; x < width; x++) {
232 - ((uint32_t *)d)[0] = palette[s[0]];
233 - ((uint32_t *)d)[1] = palette[s[1]];
234 - ((uint32_t *)d)[2] = palette[s[2]];
235 - ((uint32_t *)d)[3] = palette[s[3]];
236 - ((uint32_t *)d)[4] = palette[s[4]];
237 - ((uint32_t *)d)[5] = palette[s[5]];
238 - ((uint32_t *)d)[6] = palette[s[6]];
239 - ((uint32_t *)d)[7] = palette[s[7]];
240 + ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)];
241 + ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)];
242 + ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)];
243 + ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)];
244 + ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)];
245 + ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)];
246 + ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)];
247 + ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)];
257 -static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d,
258 - const uint8_t *s, int width)
259 +static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d,
260 + uint32_t addr, int width)
267 - v = lduw_le_p((void *)s);
268 + v = vga_read_word_le(vga, addr);
272 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
279 -static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
280 - const uint8_t *s, int width)
281 +static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d,
282 + uint32_t addr, int width)
289 - v = lduw_be_p((void *)s);
290 + v = vga_read_word_be(vga, addr);
294 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
300 @@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
304 -static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d,
305 - const uint8_t *s, int width)
306 +static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d,
307 + uint32_t addr, int width)
314 - v = lduw_le_p((void *)s);
315 + v = vga_read_word_le(vga, addr);
319 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
326 -static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
327 - const uint8_t *s, int width)
328 +static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d,
329 + uint32_t addr, int width)
336 - v = lduw_be_p((void *)s);
337 + v = vga_read_word_be(vga, addr);
341 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
347 @@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
351 -static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d,
352 - const uint8_t *s, int width)
353 +static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d,
354 + uint32_t addr, int width)
364 + b = vga_read_byte(vga, addr + 0);
365 + g = vga_read_byte(vga, addr + 1);
366 + r = vga_read_byte(vga, addr + 2);
367 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
374 -static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
375 - const uint8_t *s, int width)
376 +static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d,
377 + uint32_t addr, int width)
387 + r = vga_read_byte(vga, addr + 0);
388 + g = vga_read_byte(vga, addr + 1);
389 + b = vga_read_byte(vga, addr + 2);
390 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
396 @@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
400 -static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d,
401 - const uint8_t *s, int width)
402 +static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d,
403 + uint32_t addr, int width)
405 -#ifndef HOST_WORDS_BIGENDIAN
406 - memcpy(d, s, width * 4);
416 + b = vga_read_byte(vga, addr + 0);
417 + g = vga_read_byte(vga, addr + 1);
418 + r = vga_read_byte(vga, addr + 2);
419 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
427 -static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d,
428 - const uint8_t *s, int width)
429 +static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d,
430 + uint32_t addr, int width)
432 -#ifdef HOST_WORDS_BIGENDIAN
433 - memcpy(d, s, width * 4);
443 + r = vga_read_byte(vga, addr + 1);
444 + g = vga_read_byte(vga, addr + 2);
445 + b = vga_read_byte(vga, addr + 3);
446 ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
453 diff --git a/hw/display/vga.c b/hw/display/vga.c
454 index 533d8d7895..13e4a5d55d 100644
455 --- a/hw/display/vga.c
456 +++ b/hw/display/vga.c
457 @@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
460 typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
461 - const uint8_t *s, int width);
462 + uint32_t srcaddr, int width);
464 #include "vga-helpers.h"
466 @@ -1666,7 +1666,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
469 if (!(is_buffer_shared(surface))) {
470 - vga_draw_line(s, d, s->vram_ptr + addr, width);
471 + vga_draw_line(s, d, addr, width);
472 if (s->cursor_draw_line)
473 s->cursor_draw_line(s, d, y);
475 @@ -2170,6 +2170,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)
477 s->vbe_size = s->vram_size;
479 + s->vbe_size_mask = s->vbe_size - 1;
481 s->is_vbe_vmstate = 1;
482 memory_region_init_ram(&s->vram, obj, "vga.vram", s->vram_size,
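Review bot: `s->vbe_size_mask = s->vbe_size - 1;` is only a proper wrap-around mask when vbe_size is a power of two, and nothing in this hunk establishes that; the invariant should be recorded next to the assignment, e.g. `/* vbe_size must be a power of two: vga_read_* use vbe_size_mask to wrap guest offsets into vram */`, or enforced with an assertion if the caller cannot guarantee it. Memory safety does hold regardless of the power-of-two property, since `addr & mask` is never larger than `vbe_size - 1`, but a non-power-of-two size would alias offsets to the wrong bytes and render garbage rather than crash. This also presumably relies on vbe_size never exceeding vram_size (the actual allocation a few lines below); if a subclass can set vbe_size independently, that relationship should be checked here too. vga_common_init continues outside the hunk.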
483 diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
484 index dd6c958da3..ad34a1f048 100644
485 --- a/hw/display/vga_int.h
486 +++ b/hw/display/vga_int.h
487 @@ -94,6 +94,7 @@ typedef struct VGACommonState {
489 uint32_t vram_size_mb; /* property */
491 + uint32_t vbe_size_mask;
493 bool has_chain4_alias;
494 MemoryRegion chain4_alias;